# Tips & Tricks for Binary Exploitations
## Toggle ASLR
The state of ASLR is switched via the sysctl parameter `randomize_va_space`. The [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) describes the possible values of the switch.
Check the current state via
```sh
sysctl kernel.randomize_va_space
```
Disable ASLR temporarily via
```sh
# The sysctl lives under /proc/sys/kernel/ (path separator, not a dot)
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```
Disable it permanently via
```sh
# Writing to /etc needs root; a plain '>' redirection would run as the unprivileged user
echo "kernel.randomize_va_space = 0" | sudo tee /etc/sysctl.d/01-disable-aslr.conf
# Apply the new setting now instead of waiting for the next reboot
sudo sysctl --system
```
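An added check script (not part of the original page) that reports the ASLR switch both ways: it maps the `randomize_va_space` value to the label from the kernel documentation, and it cross-checks empirically by comparing the `[stack]` base of two freshly spawned processes. It assumes a Linux `/proc`; where that is unreadable it reports `unknown` instead of failing.

```sh
#!/bin/sh
# Map a randomize_va_space value to a label (pure function, testable without /proc).
aslr_label() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "conservative: stack, mmap base, VDSO and PIE code randomized, brk is not" ;;
        2) echo "full: additionally randomizes the heap (brk)" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Read the live switch. The path is the standard sysctl location; it may be
# unreadable inside some sandboxes, hence the fallback.
aslr_state() {
    val=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null) || { echo "unknown"; return 1; }
    aslr_label "$val"
}

# Stack base of a fresh process: every awk invocation is a new exec, so with ASLR
# on, two calls yield different addresses.
stack_base() {
    awk '/\[stack\]/ { split($1, r, "-"); print r[1] }' /proc/self/maps 2>/dev/null
}

# Empirical cross-check. Differs from the sysctl view when a per-process
# personality flag (e.g. setarch -R) disables randomization without touching it.
stack_randomized() {
    a=$(stack_base); b=$(stack_base)
    [ -n "$a" ] && [ "$a" != "$b" ]
}

# Print both views so a mismatch stands out.
aslr_report() {
    printf 'sysctl says: %s\n' "$(aslr_state)"
    if stack_randomized; then
        echo "observed: stack base differs between runs (randomized)"
    else
        echo "observed: stack base identical between runs (not randomized, or /proc unavailable)"
    fi
}

aslr_report
```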
## Keep stdin open
Sometimes a payload cannot simply be piped into the binary's stdin.
If the exploited binary spawns an interactive shell, that shell will not stay open when the payload is piped in as is: once the pipe reaches EOF, the shell's stdin is closed and it exits.
Therefore, the payload should be piped in the following way
```sh
# cat keeps stdin open after the payload has been written, so the shell stays interactive
(echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBu\x06' ; cat ) | ./binary
```
Therein, the `-e` flag is essential, and depending on the binary also `-n`: `-e` makes `echo` interpret escapes such as `\x06` as raw bytes instead of passing them through as literal ASCII characters, and `-n` suppresses the trailing newline.
Inspect the raw bytes of the input via `xxd`
```sh
echo -e '\xde\xad\xc0\xde' | xxd
```
## NULL bytes in addresses
A NULL byte `\x00` inside an address truncates the payload as a whole, because string-based input functions stop at the first NULL byte and everything after it is never read. An exception is `read()`, which does not stop on NULL bytes.
## Read from running process
Read the data passing through a running process by attaching strace to it and tracing its `read()` calls in the following way
```sh
strace -e read -p <ProcessId>
```